Destroying Prestashop?

[skijump]

Using the strongly worded title of "Destroying Prestashop" to bring attention to a possible Prestashop spam campaign to degrade/fatigue Prestashop installers/operators. Managing 8 PS shops and 4 shops for others and the amount of email/customer spam is bringing fatigue (even brand new sites with PS installed receive spam in hours).  Wanted to bring this topic up before 2026 in hopes of keeping myself/others on PS. All ideas welcome and captchas are used 

[Daresh]

Instead of Captcha try Coludflare Turnstile. It appears to be more effective in blocking spam. A free module is available on GitHub.

[darkin]

I just disabled PS contact us form. e-mail address is left and those who wanna can contact and somehow e-mail providers are better dealing with spam...

[Mediacom87]

Hi,

I fixed the problem on my websites and those of my clients simply by using my Captcha module, which is completely independent of external solutions and therefore won't be disrupted if the service it's linked to stops working, as happens with Google or Cloudflare.

[endriu107]

This isn't a PrestaShop issue. Spam is a global problem for all websites with forms. This can be fixed in PrestaShop, but again, it's not just a PrestaShop issue. A few years ago, I created a module that protects contact forms on multiple levels, not just captcha, but also filters for words, email addresses, domains, etc., which is more than enough to stop spam. I have many satisfied customers who use this module and don't need external services to secure their forms.

[El Patron]

19 hours ago, Daresh said:

Instead of Captcha try Coludflare Turnstile. It appears to be more effective in blocking spam. A free module is available on GitHub.

Totally agree. Cloudflare Turnstile is currently the best public-facing solution — it’s lightweight, privacy-friendly, and avoids all the customer friction that comes with traditional CAPTCHA modules. Most CAPTCHA modules in PrestaShop are poorly written, and they inevitably create random checkout or login issues that you can’t even reproduce during testing.

The bigger point: all websites are vulnerable, and you can’t rely on a couple of PrestaShop modules to protect you. Serious protection happens outside of PrestaShop:

Host-level firewalls and WAF (Web Application Firewall)
Use a hosting provider that supports real firewall rules (not just “security plugins”). A properly configured WAF will block malicious payloads long before they ever reach PrestaShop.

mod_security with a maintained ruleset
mod_security with OWASP CRS (and custom rules for known PrestaShop attacks) is a BEST PRACTICE. This blocks SQL injection attempts, fake form submissions, bot probing, known exploit patterns, and a ton of automated scanners that run 24/7.

Cloudflare or equivalent DNS proxy protection
Even on the free tier, Cloudflare provides rate limiting, bot filtering, and network-level DDoS mitigation. Combine this with Turnstile and you eliminate most automated attack vectors before they touch your server.

Server-level rate limits
Limit POST requests per IP, throttle login attempts, and block failed cart / checkout spam. These are easy NGINX / Apache rules that most hosting companies simply don’t bother enabling by default.

Bottom line:

PrestaShop is not inherently “insecure,” but it is soft if you treat it like a WordPress blog and never harden the environment around it.

Protect the perimeter first, then add smart in-app protections. That’s the formula.

[skijump]

Thanks for all the suggestions to manage PS spam. In 48 hours, on a new PS website, we received 700+ registrations with non-sensical first/last names but seemingly real email addresses. (Not seeing that with Shopify. Not recommending Shopify, just noting the two platform spam differences.) Always wanted to note there might be a targeted campaign to reduce the enjoyment of PS which is a great platform for selling.

[endriu107]

5 minutes ago, skijump said:

we received 700+ registrations with non-sensical first/last names but seemingly real email addresses

So the problem isn't with the contact form, but with customer registration. You used my module a while ago and it worked in your store, but now it stops working?

 

 

[skijump]

@endriu107 Correct. It was useful 10 months ago. I'll DM and discuss improvements needed if desired.

I'll just note again that PS might have a bad actor(s) against it. Goodluck!

[Mediacom87]

il y a 53 minutes, skijump a dit :

I'll just note again that PS might have a bad actor(s) against it. Goodluck!

Well, it's just bots on zombie computers doing that now, no one with any real malicious intent, just low-level hackers.

[Prestashop Addict]

A free module on Github

[Mediacom87]

il y a 52 minutes, Prestashop Addict a dit :

A free module on Github

A module that uses a third-party service that can and has already failed, thereby blocking commerce.

Use with caution.

[El Patron]

23 hours ago, Mediacom87 said:

A module that uses a third-party service that can and has already failed, thereby blocking commerce.

Use with caution.

https://prestaheroes.com/blogs/prestashop-alerts/why-you-should-never-use-free-or-even-paid-modules-from-the-prestashop-forum-without-caution